Quoting Tilman Schmidt <[EMAIL PROTECTED]>:

> That distinction is immaterial. The milter comes as part of the ClamAV
> package. s/ClamAV/clamav-milter/ throughout my posting if you want, it
> doesn't change my argument in any way.

I think it completely changes your argument.  Had you done that
in the first place, I never would have replied in fact.

>> And the milter is designed to
>> work with sendmail.  And if leaving this enabled by default produces
>> an exploitable sendmail, then it is wrong.
>
> The premise of this implication is false, therefore the conclusion
> doesn't follow. Passing E-mail addresses containing shell metacharacters
> does not produce an exploitable sendmail.

Okay, so poor wording on my part.  Sorry.

> It is clamav-milter's place to pass messages to clamd for matching them
> to signatures.

How about:

It is clamav-milter's place to pass messages to clamd for matching them
to signatures in a safe and secure manner.

> Most programs "allow you to become exploitable". It is always up to you
> to configure them so that this doesn't happen.

And if it is not possible to configure it to do so?

>> IMHO, the proper thing to do is to document this in the milter docs.
>> Whether it becomes a configurable option or not, it should certainly
>> be documented that the default is to block such addresses.
>
> That would have been the minimum.

Yes, I can agree with that.

> But it is still wrong for a milter
> whose advertised purpose is to pass messages to a virus scanner, to
> start blocking messages based on unrelated criteria like allegedly
> illegal characters in addresses.

In that case, most all of the milters I have used or considered for
use are wrong.  So clamav-milter is at least in good company. :)

> Ok, point taken. Consider them unconfused. Now please let us discuss
> the clamav-milter program, distributed with ClamAV but separate from it,
> and how it should behave with respect to the recipient addresses of the
> mails it processes. My position is still that checking the legality of
> those is not its job and it should leave them alone.

My opinion is that if possible, without causing harm, it should do as you
say.  If doing so causes harm, then it must work to remedy that somehow.

>> It would be irresponsible for a milter to knowingly allow a security hole
>> by default.  Protecting against such a hole is the only reasonable thing
>> to do.  How to best protect that hole is still a subject of debate.
>
> Clamav-milter cannot protect my mail server against all possible
> security holes, and shouldn't even try.

I only think there is an obligation if the problem is a known problem,
and there is no other known fix.

> It has a precise job, which is
> to check mails for known viruses by passing them to ClamAV, and block
> their delivery if the check comes back positive. Other security risks
> must be covered by other means.

Well, we disagree on that point.  It is a security tool, and as such
has an even greater burden to try to be as secure as possible. Even
without that, all programs should strive to be as safe as possible,
and to avoid known security issues.  That is all they were trying to
do: avoid a known security issue.  Did they do that the best way possible?
Probably not.  But should they not have done anything at all?  Certainly
not!

> Thanks,
> Tilman

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Go Longhorns!
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html